Date: Mon, 6 Mar 2023 13:05:29 GMT
From: Corvin Köhne <corvink@FreeBSD.org>
To: src-committers@FreeBSD.org, dev-commits-src-all@FreeBSD.org, dev-commits-src-main@FreeBSD.org
Subject: git: 577ddca90877 - main - bhyve: add cap limits for ipc socket
Message-ID: <202303061305.326D5TcZ079469@gitrepo.freebsd.org>
The branch main has been updated by corvink: URL: https://cgit.FreeBSD.org/src/commit/?id=577ddca90877e377e5b40c8baa15fa5b7a3c9965 commit 577ddca90877e377e5b40c8baa15fa5b7a3c9965 Author: Vitaliy Gusev <gusev.vitaliy@gmail.com> AuthorDate: 2023-03-06 11:36:40 +0000 Commit: Corvin Köhne <corvink@FreeBSD.org> CommitDate: 2023-03-06 13:04:11 +0000 bhyve: add cap limits for ipc socket Reviewed by: corvink, markj MFC after: 1 week Sponsored by: vStack Differential Revision: https://reviews.freebsd.org/D38856 --- usr.sbin/bhyve/snapshot.c | 10 ++++++++++ 1 file changed, 10 insertions(+) diff --git a/usr.sbin/bhyve/snapshot.c b/usr.sbin/bhyve/snapshot.c index 6143f6f3a489..37aba32a1929 100644 --- a/usr.sbin/bhyve/snapshot.c +++ b/usr.sbin/bhyve/snapshot.c @@ -1517,6 +1517,9 @@ init_checkpoint_thread(struct vmctx *ctx) int socket_fd; pthread_t checkpoint_pthread; int err; +#ifndef WITHOUT_CAPSICUM + cap_rights_t rights; +#endif memset(&addr, 0, sizeof(addr)); @@ -1547,6 +1550,13 @@ init_checkpoint_thread(struct vmctx *ctx) goto fail; } +#ifndef WITHOUT_CAPSICUM + cap_rights_init(&rights, CAP_ACCEPT, CAP_READ, CAP_RECV, CAP_WRITE, + CAP_SEND, CAP_GETSOCKOPT); + + if (caph_rights_limit(socket_fd, &rights) == -1) + errx(EX_OSERR, "Unable to apply rights for sandbox"); +#endif checkpoint_info = calloc(1, sizeof(*checkpoint_info)); checkpoint_info->ctx = ctx; checkpoint_info->socket_fd = socket_fd;
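Review bot: in the first hunk (@@ -1517,6 +1517,9 @@), the new `cap_rights_t rights;` declaration depends on the Capsicum headers, yet the diffstat shows all 10 insertions inside init_checkpoint_thread() and no #include is added. Please confirm that snapshot.c already pulls in the headers declaring cap_rights_t and caph_rights_limit() under the same `#ifndef WITHOUT_CAPSICUM` guard, so the file builds both with and without WITHOUT_CAPSICUM.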
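Review bot: in the second hunk (@@ -1547,6 +1550,13 @@), a failing caph_rights_limit() goes to `errx(EX_OSERR, "Unable to apply rights for sandbox")`, which exits the process without reporting errno, while the error path immediately above it in the same function uses `goto fail`. Either switch to err() so the reason for the failure is logged, or add a short comment saying that a failure to restrict the socket is deliberately fatal rather than handled through the fail label. It would also help to document why each right in the cap_rights_init() list is needed on socket_fd (CAP_GETSOCKOPT in particular), so that later changes to the IPC code can tell whether the set is still minimal.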